nessus-parser 0.3.0

A parser for `.nessus` (v2) XML reports
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246

//! Parse and normalize `plugin_output` text from ping-related Nessus finding.

use crate::{MacAddress, error::FormatError};

/// Structured interpretation of the `plugin_output` text for
/// Nessus plugin `10180` ("Ping the remote host").
#[derive(Debug, Clone, Copy)]
pub enum PingOutcome {
    /// The host was marked dead after no response to one or more ping methods.
    HostDidntRespondToPingMethods { tcp: bool, icmp: bool },
    /// The host replied to an ICMP echo packet.
    IcmpEchoPacket,
    /// The host is local-network reachable via ARP checks but did not answer ARP who-is.
    HostLocalNetworkDidntRespondArpWhoIsQuery,
    /// The host replied to an ARP who-is query with the given MAC address.
    ArpWhoIsQuery(MacAddress),
    /// The host replied with ICMP unreachable to a TCP SYN probe sent to `to`.
    IcmpUnreachPacketInResponseToTcpSynPacket { to: u16 },
    /// The host replied to a TCP SYN probe with `RST,ACK`.
    RepliedTcpSynPacketWithRstAck { to: u16 },
    /// The host replied to a TCP SYN probe with `SYN,ACK`.
    RepliedTcpSynPacketWithSynAck { to: u16 },
    /// The host replied to a TCP SYN probe with `FIN,ACK`.
    RepliedTcpSynPacketWithFinAck { to: u16 },
    /// The host emitted a TCP SYN packet.
    EmittedTcpSynPacket { from: u16, to: u16 },
    /// The host emitted a TCP ACK packet.
    EmittedTcpAckPacket { from: u16, to: u16 },
    /// The host emitted a TCP PUSH,ACK packet.
    EmittedTcpPushAckPacket { from: u16, to: u16 },
    /// The host replied with a generic ICMP unreachable packet.
    IcmpUnreachPacket,
    /// The host emitted a UDP packet.
    EmittedUdpPacket { from: u16, to: u16 },
    /// The target host is the same machine as the Nessus scanner.
    LocalScanner,
}

impl PingOutcome {
    #[allow(clippy::too_many_lines)]
    pub(crate) fn from_plugin_output(plugin_output: &str) -> Result<Self, FormatError> {
        const LOCAL_SCANNER: &str = "The remote host is up\nThe host is the local scanner.";
        const ICMP_ECHO_PACKET: &str =
            "The remote host is up\nThe remote host replied to an ICMP echo packet";
        const ICMP_UNREACH_PACKET: &str =
            "The remote host is up\nThe remote host replied with an ICMP unreach packet.";
        const ARP_WHO_IS_QUERY_PREFIX: &str =
            "The remote host is up\nThe host replied to an ARP who-is query.\nHardware address : ";
        const REPLIED_TCP_SYN_PACKET_PREFIX: &str =
            "The remote host is up\nThe remote host replied to a TCP SYN packet sent to port ";
        const WITH_RST_ACK_SUFFIX: &str = " with a RST,ACK packet";
        const WITH_SYN_ACK_SUFFIX: &str = " with a SYN,ACK packet";
        const WITH_FIN_ACK_SUFFIX: &str = " with a FIN,ACK packet";
        const ICMP_UNREACH_PACKET_RESPONSE_TO_TCP_SYN_PACKET_PREFIX: &str = "The remote host is up\nThe remote host replied with an ICMP unreach packet sent in response to a TCP SYN packet sent to port ";
        const EMITTED_UDP_PACKET_PREFIX: &str =
            "The remote host is up\nThe remote host emited a UDP packet from port ";
        const EMITTED_PACKET_MIDDLE: &str = "going to port ";
        const EMITTED_TCP_SYN_PACKET_PREFIX: &str =
            "The remote host is up\nThe remote host emitted a TCP SYN packet from port ";
        const EMITTED_TCP_ACK_PACKET_PREFIX: &str =
            "The remote host is up\nThe remote host emitted a TCP ACK packet from port ";
        const EMITTED_TCP_PUSH_ACK_PACKET_PREFIX: &str =
            "The remote host is up\nThe remote host emitted a TCP PUSH,ACK packet from port ";
        const DEAD_HOST_NEEDLE: &str = ") is considered as dead - not scanning\nThe remote host (";
        const FAILED_TO_REPLY_ARP_SUFFIX: &str =
            ") is on the local network and failed to reply to an ARP who-is query.";
        const DIDNT_RESPOND_TO_PING_METHODS_NEEDLE: &str =
            ") did not respond to the following ping methods :\n";

        match plugin_output {
            ICMP_ECHO_PACKET => Ok(Self::IcmpEchoPacket),
            LOCAL_SCANNER => Ok(Self::LocalScanner),
            ICMP_UNREACH_PACKET => Ok(Self::IcmpUnreachPacket),
            text => {
                if text.contains(DEAD_HOST_NEEDLE) {
                    if text.ends_with(FAILED_TO_REPLY_ARP_SUFFIX) {
                        Ok(Self::HostLocalNetworkDidntRespondArpWhoIsQuery)
                    } else if let Some((_, ping_methods)) =
                        text.split_once(DIDNT_RESPOND_TO_PING_METHODS_NEEDLE)
                    {
                        let mut tcp = false;
                        let mut icmp = false;
                        for ping_method in ping_methods.trim_end().split('\n') {
                            match ping_method {
                                "- TCP ping" => tcp = true,
                                "- ICMP ping" => icmp = true,
                                _ => {
                                    return Err(FormatError::UnexpectedPingMethod(
                                        plugin_output.into(),
                                    ));
                                }
                            }
                        }
                        if !tcp && !icmp {
                            Err(FormatError::UnexpectedPingFormat(plugin_output.into()))
                        } else {
                            Ok(Self::HostDidntRespondToPingMethods { tcp, icmp })
                        }
                    } else {
                        Err(FormatError::UnexpectedDeadHostReason(plugin_output.into()))
                    }
                } else if let Some(mac) = text.strip_prefix(ARP_WHO_IS_QUERY_PREFIX) {
                    Ok(Self::ArpWhoIsQuery(mac.parse()?))
                } else if let Some(port) =
                    text.strip_prefix(ICMP_UNREACH_PACKET_RESPONSE_TO_TCP_SYN_PACKET_PREFIX)
                {
                    Ok(Self::IcmpUnreachPacketInResponseToTcpSynPacket { to: port.parse()? })
                } else if let Some(port_and_suffix) =
                    text.strip_prefix(REPLIED_TCP_SYN_PACKET_PREFIX)
                {
                    if let Some(port) = port_and_suffix.strip_suffix(WITH_RST_ACK_SUFFIX) {
                        Ok(Self::RepliedTcpSynPacketWithRstAck { to: port.parse()? })
                    } else if let Some(port) = port_and_suffix.strip_suffix(WITH_SYN_ACK_SUFFIX) {
                        Ok(Self::RepliedTcpSynPacketWithSynAck { to: port.parse()? })
                    } else if let Some(port) = port_and_suffix.strip_suffix(WITH_FIN_ACK_SUFFIX) {
                        Ok(Self::RepliedTcpSynPacketWithFinAck { to: port.parse()? })
                    } else {
                        Err(FormatError::UnexpectedPingTcpResponse(plugin_output.into()))
                    }
                } else if let Some(from_port_and_rest) =
                    text.strip_prefix(EMITTED_TCP_SYN_PACKET_PREFIX)
                    && let Some((from_port, rest)) = from_port_and_rest.split_once(' ')
                    && let Some(to_port) = rest.strip_prefix(EMITTED_PACKET_MIDDLE)
                {
                    Ok(Self::EmittedTcpSynPacket {
                        from: from_port.parse()?,
                        to: to_port.parse()?,
                    })
                // TODO: DRY
                } else if let Some(from_port_and_rest) =
                    text.strip_prefix(EMITTED_TCP_ACK_PACKET_PREFIX)
                    && let Some((from_port, rest)) = from_port_and_rest.split_once(' ')
                    && let Some(to_port) = rest.strip_prefix(EMITTED_PACKET_MIDDLE)
                {
                    Ok(Self::EmittedTcpAckPacket {
                        from: from_port.parse()?,
                        to: to_port.parse()?,
                    })
                } else if let Some(from_port_and_rest) =
                    text.strip_prefix(EMITTED_TCP_PUSH_ACK_PACKET_PREFIX)
                    && let Some((from_port, rest)) = from_port_and_rest.split_once(' ')
                    && let Some(to_port) = rest.strip_prefix(EMITTED_PACKET_MIDDLE)
                {
                    Ok(Self::EmittedTcpPushAckPacket {
                        from: from_port.parse()?,
                        to: to_port.parse()?,
                    })
                } else if let Some(from_port_and_rest) =
                    text.strip_prefix(EMITTED_UDP_PACKET_PREFIX)
                    && let Some((from_port, rest)) = from_port_and_rest.split_once(' ')
                    && let Some(to_port) = rest.strip_prefix(EMITTED_PACKET_MIDDLE)
                {
                    Ok(Self::EmittedUdpPacket {
                        from: from_port.parse()?,
                        to: to_port.parse()?,
                    })
                } else {
                    Err(FormatError::UnexpectedPingFormat(plugin_output.into()))
                }
            }
        }
    }
}

#[cfg(test)]
mod tests {
    use crate::error::FormatError;

    use super::PingOutcome;

    #[test]
    fn parses_common_ping_outcomes() {
        let icmp_echo = "The remote host is up\nThe remote host replied to an ICMP echo packet";
        assert!(matches!(
            PingOutcome::from_plugin_output(icmp_echo).expect("must parse"),
            PingOutcome::IcmpEchoPacket
        ));

        let local = "The remote host is up\nThe host is the local scanner.";
        assert!(matches!(
            PingOutcome::from_plugin_output(local).expect("must parse"),
            PingOutcome::LocalScanner
        ));

        let arp = "The remote host is up\nThe host replied to an ARP who-is query.\nHardware address : 0a:1b:2c:3d:4e:5f";
        assert!(matches!(
            PingOutcome::from_plugin_output(arp).expect("must parse"),
            PingOutcome::ArpWhoIsQuery(_)
        ));
    }

    #[test]
    fn parses_tcp_and_udp_based_outcomes() {
        let syn_ack = "The remote host is up\nThe remote host replied to a TCP SYN packet sent to port 443 with a SYN,ACK packet";
        assert!(matches!(
            PingOutcome::from_plugin_output(syn_ack).expect("must parse"),
            PingOutcome::RepliedTcpSynPacketWithSynAck { to: 443 }
        ));

        let emitted_udp = "The remote host is up\nThe remote host emited a UDP packet from port 68 going to port 67";
        assert!(matches!(
            PingOutcome::from_plugin_output(emitted_udp).expect("must parse"),
            PingOutcome::EmittedUdpPacket { from: 68, to: 67 }
        ));
    }

    #[test]
    fn parses_dead_host_ping_methods() {
        let text = "The remote host (1.2.3.4) is considered as dead - not scanning\nThe remote host (1.2.3.4) did not respond to the following ping methods :\n- TCP ping\n- ICMP ping";
        assert!(matches!(
            PingOutcome::from_plugin_output(text).expect("must parse"),
            PingOutcome::HostDidntRespondToPingMethods {
                tcp: true,
                icmp: true
            }
        ));
    }

    #[test]
    fn rejects_unexpected_ping_method_lines() {
        let text = "The remote host (1.2.3.4) is considered as dead - not scanning\nThe remote host (1.2.3.4) did not respond to the following ping methods :\n- UDP ping";
        let err = PingOutcome::from_plugin_output(text).expect_err("must fail");
        assert!(matches!(err, FormatError::UnexpectedPingMethod(_)));
    }

    #[test]
    fn rejects_unknown_dead_host_reason() {
        let text = "The remote host (1.2.3.4) is considered as dead - not scanning\nThe remote host (1.2.3.4) failed for an unknown reason.";
        let err = PingOutcome::from_plugin_output(text).expect_err("must fail");
        assert!(matches!(err, FormatError::UnexpectedDeadHostReason(_)));
    }

    #[test]
    fn rejects_unexpected_tcp_reply_suffix() {
        let text = "The remote host is up\nThe remote host replied to a TCP SYN packet sent to port 443 with a MAYBE packet";
        let err = PingOutcome::from_plugin_output(text).expect_err("must fail");
        assert!(matches!(err, FormatError::UnexpectedPingTcpResponse(_)));
    }

    #[test]
    fn rejects_unrecognized_ping_format() {
        let text = "completely unexpected";
        let err = PingOutcome::from_plugin_output(text).expect_err("must fail");
        assert!(matches!(err, FormatError::UnexpectedPingFormat(_)));
    }
}